A previously unidentified threat cluster, codenamed UNK_SmudgedSerpent, has been linked to a series of cyberattacks targeting academics and foreign policy experts in the U.S. during June-August 2025. These attacks occurred amidst heightened geopolitical tensions between Iran and Israel. The threat actor employed domestic political themes related to Iran as lures in its phishing campaigns, exhibiting tactics similar to known Iranian espionage groups.
The campaign utilized impersonations of prominent U.S. foreign policy figures to lend credibility to its communications. Over 20 subject matter experts at a U.S.-based think tank focusing on Iran policy were targeted. The attackers engaged targets in conversations before attempting to steal their Microsoft account credentials through malicious links. In some instances, fake login pages mimicking Microsoft Teams were used.
The threat actor deployed legitimate Remote Monitoring and Management (RMM) software, specifically PDQ Connect, disguised as a Microsoft Teams installer. There is also evidence suggesting hands-on-keyboard activity to install additional RMM tools like ISL Online. The primary objective appears to be intelligence gathering, focusing on Western policy analysis and strategic technology related to Iran. Proofpoint suggests this indicates an evolution and potential cooperation between various Iranian intelligence entities and cyber units.
The attackers’ infrastructure included references to OnlyOffice URLs and health-themed domains, reminiscent of activity previously observed from the Iranian group TA455. Proofpoint’s further analysis confirmed the hands-on-keyboard installation of additional RMM tools noted above. The campaigns align with Iran’s intelligence collection priorities: Western policy analysis, academic research, and strategic technology.
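The two technical observations above (a legitimate RMM agent shipped under a Microsoft Teams installer name, and further RMM tools installed interactively) are detectable from endpoint process-creation telemetry because the PE metadata of the agent still names the real product even when the file on disk is renamed. The following is an added detection sketch, not Proofpoint's tooling and not a published rule: it assumes a constructed, pipe-delimited export of Sysmon Event ID 1 style fields (Image, Product, Description, Company, CommandLine), and all hostnames, paths, and metadata strings in the sample are constructed for illustration.

```python
"""Flag RMM agents whose on-disk filename impersonates Microsoft Teams.

Added example, not from the report. Input format is an assumed, simplified
process-creation log: ts|host|Image|Product|Description|Company|CommandLine
"""
import re
from dataclasses import dataclass

# Product/description markers for the two RMM tools named in the report.
# Matching is done on PE metadata, not on the filename, because the lure
# filename is attacker-chosen and the metadata is what survives a rename.
RMM_PRODUCT_MARKERS = ("pdq connect", "isl online")

# A filename that advertises itself as Teams (assumed lure naming pattern).
TEAMS_THEME = re.compile(r"teams", re.IGNORECASE)

# Locations a centrally deployed RMM agent would not normally launch from.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\",
                           re.IGNORECASE)

# Constructed sample telemetry (four events, one workstation).
SAMPLE_LOG = [
    # 1. Genuine Teams client: Microsoft metadata, no RMM marker -> ignored.
    r"2025-07-10T14:02:11Z|WS-ANALYST-01|C:\Users\jdoe\AppData\Local\Microsoft\Teams\current\Teams.exe|Microsoft Teams|Microsoft Teams|Microsoft Corporation|Teams.exe",
    # 2. Lure: Teams-named installer whose metadata says PDQ Connect.
    r"2025-07-10T14:05:48Z|WS-ANALYST-01|C:\Users\jdoe\Downloads\MicrosoftTeamsSetup.exe|PDQ Connect|PDQ Connect Agent|PDQ|MicrosoftTeamsSetup.exe",
    # 3. Follow-on RMM dropped into a temp directory (hands-on-keyboard stage).
    r"2025-07-10T14:21:03Z|WS-ANALYST-01|C:\Users\jdoe\AppData\Local\Temp\ISLOnline_client.exe|ISL Online|ISL Online Client|ISL Online|ISLOnline_client.exe",
    # 4. IT-deployed RMM agent from Program Files: RMM, but nothing else odd.
    r"2025-07-10T15:00:00Z|WS-ANALYST-01|C:\Program Files\PDQ\Connect\agent.exe|PDQ Connect|PDQ Connect Agent|PDQ|agent.exe",
]


@dataclass
class Finding:
    host: str
    image: str
    product: str
    reasons: list
    severity: str


def parse_line(line):
    """Split one constructed log line into a field dict; None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 7:
        return None
    keys = ("ts", "host", "image", "product", "description", "company", "cmdline")
    return dict(zip(keys, parts))


def evaluate(ev):
    """Return a Finding for RMM executions, scoring the two lure signals."""
    meta = " ".join((ev["product"], ev["description"], ev["company"])).lower()
    if not any(marker in meta for marker in RMM_PRODUCT_MARKERS):
        return None  # not one of the RMM products we care about
    reasons = ["rmm_agent_execution"]
    filename = ev["image"].rsplit("\\", 1)[-1]
    # Filename claims Teams but the vendor metadata is not Microsoft.
    if TEAMS_THEME.search(filename) and "microsoft" not in meta:
        reasons.append("teams_themed_filename_mismatch")
    # Agent started from a user-writable directory rather than a deployment path.
    if USER_WRITABLE.search(ev["image"]):
        reasons.append("launched_from_user_writable_path")
    severity = "high" if len(reasons) >= 2 else "review"
    return Finding(ev["host"], ev["image"], ev["product"], reasons, severity)


def scan(lines):
    """Run the evaluator over raw log lines and collect findings in order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        finding = evaluate(ev)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.severity.upper(), f.host, f.image, ", ".join(f.reasons))
```

The plain "rmm_agent_execution" finding is deliberately kept at review priority: organisations that legitimately run PDQ Connect or ISL Online will see it constantly, and the value of the rule comes from the two contextual signals (Teams-themed filename with non-Microsoft metadata, execution from a user-writable path) that distinguish a phishing-delivered agent from a managed deployment.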
